What do you do with unverified users?
My project ankidecks.com has been live for about two months now. I've recently started getting a stream of signups using legitimate looking emails, but clearly garbage usernames ("DgvIewBsJyGu", "sIkmJLzVYFj") that never verify their emails.
I'm curious what other indie hackers do - do you just let them be? Delete them? Maybe set an expiry period?
Trending on Indie Hackers
You guys aren't answering his question.
He's not asking how to prevent them.
He's asking what to do with them after they've signed up.
To OP, I leave them alone. They're harmless, apart from taking up some negligible disk space. Because I have an email verification system, nobody can do anything until they verify their email with me. So literally each of those emails only occupy one row on my database.
Leave them alone and move on.
I would try a honeypot before implementing captcha.
Like an invisible password field?
Yeah. Just make sure it works well with password managers (like 1password), because it may screw up those, and that will be a big UX issue.
Ooh, good point!
We, at https://tefter.io soft ban them. Their account and anything they post can only be seen by them.
If you have a standard privacy policy (and in the long run you need one), you should have defined a maximum retention period. At the end of that period (which could be weeks, months or years depending on your product), it's customary to send a reminder email alerting of upcoming deletion, and then after a little while, you delete all associated data.
I would suggest doing something similar for unverified emails, as a last chance to validate and activate it. Only use a shorter period (say 2 weeks?). Other than that, the only harm is your mental space, and the possible bias in your data analytics. Don't sweat it.
I stopped having the problem when I added recaptcha
Use Passwordless solutions for sign up and sign in. So, they have to verify their email before sign up.
Also, you can use login with social accounts
I always use Amazon Cognito as user directory, which charge only active users, I send follow-ups to only verified users too. Then I simply ignore unverified users.
Had the same exact problem. Used to get around 300-400 garbage spam signups for Prospectss almost everyday. Like @yj didn't wanted to make the signup harder, so I implemented invisible captcha! and no more garbage signups! 🥳
Invisible captcha? Something like putting a hidden input that says "password" and if it's filled in, throwing out the submission?
No, I was referring to this: https://developers.google.com/recaptcha/docs/invisible
Although there is a similar method to what you are suggesting to, where you create a hidden input field that the users cannot see so they wouldn't fill those fields but bots would fill it out so you can identify if it was bot signup. Although I had used this technique in one of my other project, it isn't 100% effective. I would say use the Google Invisible reCaptcha.
I'm having the exact same thing happen to my site. Legitimate looking emails, but with randomly generated strings as the name.
There's no obvious reason why someone would want to automate fake accounts on my site, so it's quite confusing.
I previously asked about the same thing on IH and someone suggested using a captcha on sign up. I didn't follow the suggestion because I'd rather not make sign up harder, but it's a valid option.
That's exactly what I'm thinking "why would anyone want fake accounts on my site?"
Probably bots that just sign up for any/every signup form they come across.
Maybe you need to create some sort of incent in your product which they can't reach without confirming their account?
Figure out the reason for the user of creating the account, and from there ask yourself if there's some minor but important functionality (Like interact with other users) that could be this incent? - Activate your account to do this/that
They problem is more that the accounts are pretty clearly fake and I'm not sure what to do with them.
Do you send follow-ups emails to unverified users? You can increase your activation rate with 2-3 follow-ups emails if a user does not confirm the email with the first confirmation message. After such a campaign, you can, for sure, delete unverified users.
Follow up emails are a good idea - on the small small chance that there is a real user buried in the noise.
I've had this on my todo list for a while. Still haven't visited it, but need to.
I'm not exactly sure what the options are. Thinking about a timed job that deletes any users who have a status of 'inactive' in the database, and their verification code db field has a timestamp in the past. If that makes sense.
Sure, this is what I'm leaning towards as well. If they haven't verified their email for a month - delete!
I'm also curious about these emails I am collecting. Have they been stolen? I wonder if I can submit them somewhere to say "these are bad actors"?
They're likely just making up the emails - but I'm sure some of them have actual mailboxes somewhere. Probably have a list in a file that is part of the script that runs and fills in forms like yours.
EDIT: guess you did mention further below, that they mostly seem legit.
I just started verifying them right from the get go.
In your case, you may want to verify these emails using a tool like NeverBounce before sending anything.
Also providers like Amazon SES have a mechanism so they let you know in case an email bounces (so you don't send again).
I'm not having any issue with emails bouncing - (almost) all the emails seem to make it to their final destination. But nobody clicks the link to verify.
There was a product I saw the other day on product hunt. It’s an toolbox api for developers, maybe you can use it to filter spam/free emails? Abstract API
This comment was deleted 3 years ago.
It doesn't really cost anything - besides filling up the db with bunch of junk users.
I think reminders are a good idea - give them one last chance.